CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 12628 CVEs (849 Critical, 3640 High, 3960 Medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-39320 | HIGH | 7.5 | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated … | Apr 21, 2026 |
| CVE-2026-41331 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit … | Apr 21, 2026 |
| CVE-2026-41330 | MEDIUM | 4.4 | OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. … | Apr 21, 2026 |
| CVE-2026-41329 | CRITICAL | 9.9 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper … | Apr 21, 2026 |
| CVE-2026-41303 | HIGH | 8.8 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord … | Apr 21, 2026 |
| CVE-2026-41302 | HIGH | 7.6 | OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers … | Apr 21, 2026 |
| CVE-2026-41301 | MEDIUM | 5.3 | OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before … | Apr 21, 2026 |
| CVE-2026-41300 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having … | Apr 21, 2026 |
| CVE-2026-41299 | HIGH | 7.1 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket … | Apr 21, 2026 |
| CVE-2026-41298 | MEDIUM | 5.4 | OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by … | Apr 21, 2026 |
| CVE-2026-41297 | HIGH | 7.6 | OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated … | Apr 21, 2026 |
| CVE-2026-41296 | HIGH | 8.2 | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path … | Apr 21, 2026 |
| CVE-2026-41295 | HIGH | 7.8 | OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone … | Apr 21, 2026 |
| CVE-2026-41294 | HIGH | 8.6 | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file … | Apr 21, 2026 |
| CVE-2026-41285 | MEDIUM | 4.3 | In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a … | Apr 21, 2026 |
| CVE-2026-40045 | MEDIUM | 5.7 | OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup … | Apr 21, 2026 |
| CVE-2026-35588 | MEDIUM | 6.3 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly … | Apr 21, 2026 |
| CVE-2026-35587 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due … | Apr 21, 2026 |
| CVE-2026-35570 | HIGH | 8.4 | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside … | Apr 21, 2026 |
| CVE-2026-34839 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without … | Apr 21, 2026 |
| CVE-2026-5721 | MEDIUM | 4.7 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up … | Apr 20, 2026 |
| CVE-2026-34082 | UNKNOWN | — | Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to … | Apr 20, 2026 |
| CVE-2026-6729 | MEDIUM | 6.3 | HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other … | Apr 20, 2026 |
| CVE-2026-29643 | UNKNOWN | — | XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of … | Apr 20, 2026 |
| CVE-2026-22051 | UNKNOWN | — | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with … | Apr 20, 2026 |